glibc: CVE-2023-5156: Memory leak in getaddrinfo after fix for CVE-2023-4806
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
glibc (Debian) | Fix Released | Unknown | |
glibc (Ubuntu) | Fix Released | Critical | Unassigned |
Bug Description
Imported from Debian bug http://
Source: glibc
Version: 2.37-10
Severity: important
Tags: security upstream
Forwarded: https:/
X-Debbugs-Cc: <email address hidden>, Debian Security Team <email address hidden>
Hi,
The following vulnerability was published for glibc.
Filing mainly for tracking of the issue.
CVE-2023-5156[0]:
| A flaw was found in the GNU C Library. A recent fix for
| CVE-2023-4806 introduced the potential for a memory leak, which may
| result in an application crash.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https:/
https:/
[1] https:/
Regards,
Salvatore
Changed in glibc (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
Changed in glibc (Debian):
importance: Undecided → Unknown
status: New → Confirmed
Changed in glibc (Debian):
status: Confirmed → Fix Released
This bug was fixed in the package glibc - 2.38-1ubuntu5
---------------
glibc (2.38-1ubuntu5) mantic; urgency=medium
  * Update from upstream release branch:
    - CVE-2023-4527: Stack read overflow with large TCP responses in
      no-aaaa mode
    - CVE-2023-4806: use after free in getcanonname
    - LP: #2031909: Fix oversized __io_vtables
  * d/p/u/0001-Fix-leak-in-getaddrinfo-introduced-by-the-fix-for-CV:
    Cherry-picked to fix a regression in one of the previous CVE fixes
    (LP: #2037516, CVE-2023-5156)
  * d/p/lp2032624.patch: add an escape hatch in arm64 math-vector.h.
    This should help fixing multiple FTBFS (LP: #2032624)
 -- Simon Chopin <email address hidden> Wed, 27 Sep 2023 16:38:18 +0200